add influx listener to telegraf

.gitea/workflows/nix-flake-check.yaml

@@ -1,5 +1,8 @@
 name: nix flake check
-on: [push]
+on:
+  push:
+    branches:
+      - 'renovate/**'
 
 jobs:
   nix-flake-update:

flake.nix

@@ -3,16 +3,23 @@
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11";
-
     flake-utils.url = "github:numtide/flake-utils";
-    deploy = {
-      url = "github:serokell/deploy-rs";
+
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nurpkgs.url = "github:nix-community/NUR";
-    sops-nix.url = "github:Mic92/sops-nix";
-    lanzaboote.url = "github:nix-community/lanzaboote";
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nur = {
+      url = "github:nix-community/NUR";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -23,26 +30,8 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    rycee-nurpkgs = {
-      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
-      inputs = {
-        nixpkgs.follows = "nixpkgs";
-        flake-utils.follows = "flake-utils";
-      };
-    };
-
-    nixpkgs-f2k = {
-      url = "github:fortuneteller2k/nixpkgs-f2k";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    devenv = {
-      url = "github:cachix/devenv/latest";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     nixvim = {
-      url = "git+https://git.fuckwit.dev/fuckwit/nixvim";
+      url = "git+https://gitlab.fuckwit.dev/fuckwit/nixvim";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };

home-modules/firefox/default.nix

@@ -76,10 +76,10 @@ in {
     enable = mkEnableOption "Apply personal firefox defaults.";
     package = mkPackageOption pkgs "firefox-bin" {};
 
-    extensions = mkOption {
+    extraExtensions = mkOption {
       type = types.listOf types.package;
-      default = defaultExtensions;
-      description = "Firefox extensions to install.";
+      default = [];
+      description = "Extra Firefox extensions to install.";
     };
 
     settings = mkOption {
@@ -102,7 +102,8 @@ in {
           isDefault = true;
           id = 0;
           userChrome = builtins.readFile ./userChrome.css;
-          inherit (cfg) extensions settings;
+          extensions = defaultExtensions ++ cfg.extraExtensions;
+          inherit (cfg) settings;
         };
       };
     };

home/configurations.nix

@@ -1,29 +1,18 @@
 {
   nixpkgs,
-  nurpkgs,
+  nur,
   home-manager,
-  devenv,
   nixvim,
   ...
 }: let
   pkgs = import nixpkgs rec {
     system = "x86_64-linux";
-    overlays = [(final: prev: {nixvim = nixvim.packages.${system}.default;}) nurpkgs.overlays.default];
-  };
-
-  nur = import nurpkgs {
-    inherit pkgs;
-    nurpkgs = pkgs;
+    overlays = [(final: prev: {nixvim = nixvim.packages.${system}.default;}) nur.overlays.default];
   };
 in {
   work = home-manager.lib.homeManagerConfiguration {
     inherit pkgs;
 
-    extraSpecialArgs = {
-      inherit devenv; # TODO: Remove dependency on devenv
-      ff-addons = nur.repos.rycee.firefox-addons;
-    };
-
     modules = [
       ../home-modules/modules-list.nix
       ./work

home/framework/default.nix

@@ -28,6 +28,8 @@
     ./programs
   ];
 
+  services.udiskie.enable = true;
+
   accounts.email.accounts = {
     patrick = {
       primary = true;

home/framework/programs/firefox/userChrome.css

@@ -1,76 +0,0 @@
-/* Source file https://github.com/MrOtherGuy/firefox-csshacks/tree/master/chrome/toolbars_below_content_v2.css made available under Mozilla Public License v. 2.0
-See the above repository for updates as well as full license text. */
-
-/* This requires Firefox 133
- * By default tabs will be the top-most toolbar, but you can set the following pref to move them to bottom:
- * userchrome.toolbars-below-content.tabs-at-bottom.enabled
- */
-
-#navigator-toolbox{
-  display: contents;
-  --uc-navbar-height: 40px;
-}
-:root[uidensity="compact"] #navigator-toolbox{
-  --uc-navbar-height: 34px;
-}
-#main-window > body > #browser,
-.global-notificationbox,
- #tab-notification-deck,
- #toolbar-menubar{
-  order: -1;
-}
-
-#TabsToolbar{
-  max-height: calc((var(--tab-min-height) + 2 * var(--tab-block-margin,0px)) * var(--multirow-n-rows,1));
-}
-#toolbar-menubar,
-#TabsToolbar{
-  background: inherit !important;
-}
-@media (-moz-platform: linux){
-  :root[sizemode="normal"][customtitlebar] #toolbar-menubar{
-    border-top-left-radius: inherit;
-    border-top-right-radius: inherit;
-  }
-  #toolbar-menubar,
-  #TabsToolbar{
-    opacity: 1 !important;
-    will-change: unset !important;
-  }
-  #notification-popup[side="top"]{
-    margin-top: calc(-2 * var(--panel-padding-block) - 40px - 32px - 8.5em) !important;
-  }
-  #permission-popup[side="top"]{
-    margin-top: calc(-2 * var(--panel-padding-block) - 2.5em);
-  }
-}
-
-#nav-bar,
-#PersonalToolbar{
-  background-image: linear-gradient(var(--toolbar-bgcolor),var(--toolbar-bgcolor)), var(--lwt-additional-images,var(--toolbar-bgimage)) !important;
-  background-position: top,var(--lwt-background-alignment);
-  background-position-y: calc(0px - var(--tab-min-height) - 2*var(--tab-block-margin,0px));
-  background-repeat: repeat,var(--lwt-background-tiling);
-}
-:root[lwtheme-image] #nav-bar,
-:root[lwtheme-image] #PersonalToolbar{
-  background-image: linear-gradient(var(--toolbar-bgcolor),var(--toolbar-bgcolor)),var(--lwt-header-image), var(--lwt-additional-images,var(--toolbar-bgimage)) !important;
-}
-#PersonalToolbar{
-  background-position-y: calc(0px - var(--tab-min-height) - 2*var(--tab-block-margin,0px) - var( --uc-navbar-height));
-}
-#urlbar[breakout][breakout-extend]{
-  display: flex !important;
-  flex-direction: column-reverse !important;
-  transform: translateY(calc(var(--urlbar-container-height) - 100%));
-}
-#urlbar[breakout-extend]:not([usertyping]) > .urlbar-input-container::after{
-  display: flex;
-  content: "";
-  height: calc(var(--urlbar-min-height) - 2px - 2 * var(--urlbar-container-padding));
-}
-.urlbarView-body-inner{ border-top-style: none !important; }
-
-#TabsToolbar{
-  order: 3
-}

home/framework/programs/hyprland/default.nix

@@ -28,11 +28,13 @@
         monitor = "";
         path = "screenshot";
 
-        blur_passes = 1;
+        blur_passes = 2;
         blur_size = 7;
         noise = 1.17e-2;
       };
 
+      auth.fingerprint.enabled = true;
+
       label = [
         {
           monitor = "";
@@ -58,8 +60,8 @@
         monitor = "";
         size = "200,50";
         outline_thickness = 2;
-        dots_size = 0.2; # Scale of input-field height, 0.2 - 0.8
-        dots_spacing = 0.35; # Scale of dots' absolute size, 0.0 - 1.0
+        dots_size = 0.2;
+        dots_spacing = 0.35;
         dots_center = true;
         outer_color = "rgba(0, 0, 0, 0)";
         inner_color = "rgba(0, 0, 0, 0.2)";

home/work/default.nix

@@ -1,7 +1,7 @@
 {
   config,
   pkgs,
-  devenv,
+  # devenv,
   ...
 }: {
   home = {

home/work/pkgs.nix

@@ -1,15 +1,10 @@
 {pkgs, ...}:
 with pkgs; [
   age # Modern encryption tool with small explicit keys
-  arandr # simple GUI for xrandr
   atuin
   dig # dns command-line tool
   fd # "find" for files
-  # geckodriver # remote controll firefox
-  helix # modal editor
   htop # process monitor
-  hyperfine # command-line benchmarking tool
-  # i3lock # screen locker
   imagemagick # selection screenshot stuff
   just # just a command runner
   keepassxc # password manager
@@ -22,21 +17,14 @@ with pkgs; [
   mtr # traceroute
   mumble # voice call client
   ncdu # disk space info (a better du)
-  # neovim-unwrapped # best code editor on the planet
   networkmanagerapplet # systray applet for NetworkManager
-  # nitrogen # wallpapger manager
-  nushell # A modern shell written in Rust
   ouch # painless compression and decompression for your terminal
   pavucontrol # pulseaudio volume control
   playerctl # music player controller
   podman-compose # podman manager
-  restic # incremental backup tool
   ripgrep # fast grep
-  # rocketchat-desktop # company chat
   sops # Mozilla sops (Secrets OPerationS) is an editor of encrypted files
   thunderbird # email client
-  # xclip # clipboard support
-  # xsel # clipboard support (also for neovim)
   zeal # offline documentation browser
   zellij # A terminal workspace with batteries included
   wl-clipboard

home/work/programs/firefox/default.nix

@@ -1,106 +1,6 @@
-{
-  pkgs,
-  lib,
-  stdenv,
-  specialArgs,
-  ...
-}: let
-  extensions = with specialArgs.ff-addons; [
-    bitwarden
-    darkreader
-    i-dont-care-about-cookies
-    privacy-badger
-    ublock-origin
-    # tree-style-tab
-    # tridactyl
-    keepassxc-browser
-  ];
-
-  userChrome = builtins.readFile ./userChrome.css;
-
-  # ~/.mozilla/firefox/PROFILE_NAME/prefs.js | user.js
-  settings = {
-    "app.normandy.first_run" = false;
-    "app.shield.optoutstudies.enabled" = false;
-
-    # disable updates (pretty pointless with nix)
-    "app.update.channel" = "default";
-
-    "browser.contentblocking.category" = "standard"; # "strict"
-    "browser.ctrlTab.recentlyUsedOrder" = false;
-
-    "browser.download.viewableInternally.typeWasRegistered.svg" = true;
-    "browser.download.viewableInternally.typeWasRegistered.webp" = true;
-    "browser.download.viewableInternally.typeWasRegistered.xml" = true;
-
-    "browser.search.region" = "DE";
-
-    "browser.shell.checkDefaultBrowser" = false;
-    "browser.tabs.loadInBackground" = true;
-    "browser.urlbar.placeholderName" = "EnteEnteLauf";
-    "browser.urlbar.showSearchSuggestionsFirst" = false;
-
-    # disable all the annoying quick actions
-    "browser.urlbar.quickactions.enabled" = false;
-    "browser.urlbar.quickactions.showPrefs" = false;
-    "browser.urlbar.shortcuts.quickactions" = false;
-    "browser.urlbar.suggest.quickactions" = false;
-
-    # disable tab preview on hover
-    "browser.tabs.hoverPreview.enabled" = false;
-    "browser.tabs.hoverPreview.showThumbnails" = false;
-
-    "distribution.searchplugins.defaultLocale" = "en-US";
-
-    "doh-rollout.balrog-migration-done" = true;
-    "doh-rollout.doneFirstRun" = true;
-
-    "general.useragent.locale" = "en-US";
-
-    "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
-
-    "extensions.extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
-    "extensions.update.enabled" = false;
-    "extensions.webcompat.enable_picture_in_picture_overrides" = true;
-    "extensions.webcompat.enable_shims" = true;
-    "extensions.webcompat.perform_injections" = true;
-    "extensions.webcompat.perform_ua_overrides" = true;
-
-    "privacy.donottrackheader.enabled" = true;
-
-    # Yubikey
-    "security.webauth.u2f" = true;
-    "security.webauth.webauthn" = true;
-    "security.webauth.webauthn_enable_softtoken" = false;
-    "security.webauth.webauthn_enable_usbtoken" = true;
-
-    "network.dns.ipv4OnlyDomains" = "google.com";
-
-    "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
-    "layout.word_select.stop_at_punctuation" = false;
-  };
-in {
-  programs.firefox = {
+{pkgs, ...}: {
+  personal.firefox = {
     enable = true;
-
-    package = pkgs.firefox-bin;
-
-    profiles = {
-      default = {
-        isDefault = true;
-        id = 0;
-        inherit extensions settings userChrome;
-      };
-    };
-
-    # webapps = {
-    #   rocket-chat = {
-    #     url = "https://chat.hetzner.company";
-    #     id = 1;
-
-    #     genericName = "Internet Messenger";
-    #     categories = ["Network" "InstantMessaging"];
-    #   };
-    # };
+    extraExtensions = with pkgs.nur.repos.rycee.firefox-addons; [keepassxc-browser];
   };
 }

home/work/programs/firefox/userChrome.css

@@ -1,88 +0,0 @@
-/* Source file https://github.com/MrOtherGuy/firefox-csshacks/tree/master/chrome/toolbars_below_content.css made available under Mozilla Public License v. 2.0
-See the above repository for updates as well as full license text. */
-
-/* Moves tabs toolbar, bookmarks toolbar and main toolbar to the bottom of the window, and makes tabs be the bottom-most toolbar */
-
-/* By default, menubar will stay on top with two options to select it's behavior - see below */
-
-@-moz-document url(chrome://browser/content/browser.xhtml){
-  
-  #titlebar{ -moz-appearance: none !important; }
-
-  #navigator-toolbox > div{ display: contents }
-  .global-notificationbox,
-  #mainPopupSet,
-  #browser,
-  #customization-container,
-  #tab-notification-deck{
-    order: -1;
-  }
-
-  /* Remove the next row if you want tabs to be the top-most row */
-  #titlebar{
-    order: 2;
-  } 
-
-  #toolbar-menubar{
-    position: fixed;
-    display: flex;
-    width: 100vw;
-    top: 0px;
-    -moz-window-dragging: drag;
-  }
-  /* Remove bottom border that won't do anything useful when at bottom of the window */
-  #navigator-toolbox{ border-bottom: none !important; }
-
-  #toolbar-menubar > spacer{ flex-grow: 1 }
-
-  #urlbar[breakout][breakout-extend]{
-    display: flex !important;
-    flex-direction: column-reverse;
-    bottom: 0px !important; /* Change to 3-5 px if using compact_urlbar_megabar.css depending on toolbar density */
-    top: auto !important;
-  }
-
-  .urlbarView-body-inner{ border-top-style: none !important; }
-
-  /* Yeah, removes window controls. Likely not wanted on bottom row  */
-  #TabsToolbar > .titlebar-buttonbox-container{ display: none }
-  #toolbar-menubar > .titlebar-buttonbox-container{ order: 1000 }
-
-  /* Fix panels sizing */
-  .panel-viewstack{ max-height: unset !important; }
-
-  /* Fullscreen mode support */
-  :root[sizemode="fullscreen"] #navigator-toolbox{ margin-top: 0 !important }
-  :root[sizemode="fullscreen"] #navigator-toolbox[style*="margin-top"]{ visibility: collapse }
-  #fullscr-toggler{ bottom: 0; top: unset !important; }
-  
-  /* These three rules exist for compatibility with autohide_toolbox.css */
-  #navigator-toolbox{ bottom: 0px; transform-origin: bottom }
-  #main-window > body > box{ margin-top: 0 !important; }
-  #toolbar-menubar{ z-index: 1; background-color: var(--lwt-accent-color,black); }
-  
-  :root[BookmarksToolbarOverlapsBrowser] #navigator-toolbox{
-    margin-block: calc(-1 * var(--bookmarks-toolbar-height)) 0 !important;
-  }
-  :root[BookmarksToolbarOverlapsBrowser] .newTabBrowserPanel{
-    padding-block: 0 var(--bookmarks-toolbar-height) !important;
-  }
-  
-  /**************
-  Menubar options - By default, menubar is overlayed on top of web-content
-  ***************/
-
- /* Uncomment the following if you want static menubar on top of the window (make menubar enabled)
-  * Use when menubar is enabled to always show it */
-  
-  /*
-  #browser,#customization-container{ padding-top: var(--uc-menubar-spacer,28px) }
-  */
-  
-  /* OR, uncomment the following if you want menubar to appear below content, above tabs toolbar */
-  
-  #toolbar-menubar{ position: static; display: flex; margin-top: 0px !important; background-color: transparent }
-
-  /* set to "column-reverse" (without quotes) if you want tabs above menubar with the above option */
-  #titlebar{ flex-direction: column }
-}

home/work/programs/hyprland/default.nix

@@ -1,19 +1,82 @@
 {pkgs, ...}: {
-  wayland.windowManager.hyprland = let
-    locker = "${pkgs.swaylock}/bin/swaylock";
-    set-dpms = "${pkgs.hyprland}/bin/hyprctl dispatcher dpms";
-    locked-dpms = pkgs.writeShellScript "locked-dpms.sh" ''
-      ${pkgs.swayidle}/bin/swayidle -w \
-        timeout 10 'if pgrep -x swaylock; then ${set-dpms} off; fi' \
-        resume '${set-dpms} on'
-    '';
-    idle-script = pkgs.writeShellScript "idle-lock.sh" ''
-      ${pkgs.swayidle}/bin/swayidle -w \
-        timeout 300 '${locker} -f' \
-        timeout 330 '${set-dpms} off' \
-        resume '${set-dpms} on'
-    '';
-  in {
+  services.hypridle = {
+    enable = true;
+
+    settings = {
+      general = {
+        lock_cmd = "pidof hyprlock || hyprlock";
+      };
+
+      listener = [
+        {
+          timeout = 300;
+          on-timeout = "loginctl lock-session";
+        }
+        {
+          timeout = 330;
+          on-timeout = "hyprctl dispatch dpms off";
+          on-resume = "hyprctl dispatch dpms on";
+        }
+      ];
+    };
+  };
+
+  programs.hyprlock = {
+    enable = true;
+    settings = {
+      background = {
+        monitor = "";
+        path = "screenshot";
+
+        blur_passes = 2;
+        blur_size = 7;
+        noise = 1.17e-2;
+      };
+
+      label = [
+        {
+          monitor = "";
+          text = "$TIME";
+          color = "rgba(242, 243, 244, 0.75)";
+          font_size = 95;
+          position = "0, 300";
+          halign = "center";
+          valign = "center";
+        }
+        {
+          monitor = "";
+          text = ''cmd[update:1000] echo $(date +"%A, %B %d")'';
+          color = "rgba(242, 243, 244, 0.75)";
+          font_size = 22;
+          position = "0, 200";
+          halign = "center";
+          valign = "center";
+        }
+      ];
+
+      input-field = {
+        monitor = "";
+        size = "200,50";
+        outline_thickness = 2;
+        dots_size = 0.2;
+        dots_spacing = 0.35;
+        dots_center = true;
+        outer_color = "rgba(0, 0, 0, 0)";
+        inner_color = "rgba(0, 0, 0, 0.2)";
+        font_color = "rgb(111, 45, 104)";
+        fade_on_empty = false;
+        rounding = -1;
+        check_color = "rgb(30, 107, 204)";
+        placeholder_text = ''<i><span foreground="##cdd6f4">Input Password...</span></i>'';
+        hide_input = false;
+        position = "0, -100";
+        halign = "center";
+        valign = "center";
+      };
+    };
+  };
+
+  wayland.windowManager.hyprland = {
     enable = true;
 
     settings = {
@@ -22,16 +85,12 @@
       exec-once = [
         "${pkgs.waybar}/bin/waybar"
         "${pkgs.mako}/bin/mako"
-        idle-script
-        locked-dpms
       ];
 
       monitor = [
         "eDP-1,1920x1080,0x0,1.333333" # Laptop screen
         "desc:Dell Inc. DELL P2723DE 79RFH14,2560x1440,1440x0,1"
         "desc:Dell Inc. DELL P2723DE 39RFH14,2560x1440,4000x0,1"
-        # "desc:LG Electronics LG ULTRAWIDE 0x000219F2,2560x1080,1440x0,1" # Primary @home
-        # "desc:Fujitsu Siemens Computers GmbH B22W-6 LED YV3U164923,1680x1050,4000x0,1" # Secondary @home
         ",preferred,auto,1" # Automatically configure everything else
       ];
 
@@ -97,7 +156,7 @@
           "$mod, return, exec, ${pkgs.alacritty}/bin/alacritty"
           "$mod, D, exec, ${pkgs.rofi-wayland}/bin/rofi -show drun"
           "$mod SHIFT, Q, killactive, "
-          "$mod, L, exec, ${locker}"
+          "$mod, L, exec, loginctl lock-session"
           "$mod, V, togglefloating, "
           "$mod, F, fullscreen, 1"
           "$mod, P, pseudo, # dwindle"
@@ -124,10 +183,6 @@
         "$mod, mouse:273, resizewindow"
       ];
 
-      bindl = [
-        "$mod SHIFT, L, exec, ${locker}"
-      ];
-
       windowrulev2 = [
         # KeePassXC
         "float,class:(org.keepassxc.KeePassXC)"

nixos/celestia/configuration.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  mypkgs,
   ...
 }: let
   makeVirtualHost = {
@@ -38,6 +39,8 @@ in {
   sops.secrets."restic_ssh_key" = {};
   sops.secrets."restic_documents_repository_password" = {};
   sops.secrets."restic_images_repository_password" = {};
+  sops.secrets."protonvpn_wg_private_key" = {};
+  sops.secrets."telegraf_api_token" = {};
 
   imports = [
     ./hardware-configuration.nix
@@ -76,7 +79,7 @@ in {
 
     firewall = {
       enable = true;
-      allowedTCPPorts = [22 111 443 2049 4000 4001 4002 20048];
+      allowedTCPPorts = [22 111 443 2049 4000 4001 4002 9999 20048];
       allowedUDPPorts = [53 111 2049 4000 4001 4002 20048];
     };
   };
@@ -95,6 +98,7 @@ in {
     rtl_433
     dump1090
     rtl-sdr
+    mypkgs.nixvim
   ];
 
   users.users."root".openssh.authorizedKeys.keys = [
@@ -198,6 +202,15 @@ in {
           # "force create mode" = "0666";
           # "force directory mode" = "0777";
         };
+        all = {
+          path = "/tank";
+          browsable = "yes";
+          public = "yes";
+          "guest only" = "yes";
+          writable = "no";
+          # "force create mode" = "0666";
+          # "force directory mode" = "0777";
+        };
       };
     };
 
@@ -205,26 +218,6 @@ in {
       autoScrub.enable = true;
     };
 
-    gitea-actions-runner.instances = {
-      runner1 = {
-        enable = true;
-        name = "celestia";
-        url = "https://git.fuckwit.dev";
-        tokenFile = config.sops.secrets."act-runner-token".path;
-        labels = [
-          "nix:docker://nixos/nix:latest"
-        ];
-        # hostPackages = with pkgs; [
-        #   bash
-        #   coreutils
-        #   curl
-        #   wget
-        #   gnused
-        #   gitMinimal
-        # ];
-      };
-    };
-
     restic = let
       mkBackup = repo: paths: exclude: pruneOpts: {
         repository = "sftp:u169497-sub5@u169497.your-storagebox.de:${repo}";
@@ -248,43 +241,121 @@ in {
       };
     };
 
+    prometheus.exporters = {
+      zfs.enable = true;
+      smartctl = {
+        enable = true;
+        devices =
+          [
+            "/dev/disk/by-id/ata-Samsung_SSD_840_PRO_Series_S1ATNSAF213446M"
+          ]
+          ++ disks;
+      };
+      systemd.enable = true;
+      node.enable = true;
+    };
+
+    telegraf = {
+      enable = true;
+      environmentFiles = [config.sops.secrets."telegraf_api_token".path];
+      extraConfig = {
+        inputs = {
+          influxdb_v2_listener = {
+            service_address = "127.0.0.1:9998";
+          };
+
+          prometheus = {
+            urls = [
+              "http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.zfs.port}"
+              "http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.smartctl.port}"
+              "http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.systemd.port}"
+              "http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.node.port}"
+            ];
+          };
+        };
+        outputs = {
+          influxdb_v2 = {
+            urls = ["https://influx.fuckwit.dev"];
+            token = "\${TELEGRAF_API_TOKEN}";
+            organization = "fuckwit.dev";
+            bucket = "world";
+            timeout = "60s";
+          };
+        };
+      };
+    };
+
     nginx = {
       enable = true;
       clientMaxBodySize = "500m";
-      virtualHosts = makeVirtualHosts [
+      virtualHosts =
+        # Tasmota devices check /health of the influxdb2 server.
+        # Telegraf does not provide this endpoint so we fake it via nginx
+        # https://github.com/influxdata/telegraf/issues/16321
         {
-          subdomain = "jdownloader";
-          port = 8000;
+          "influxdb-proxy.fuckwit.dev" = {
+            listen = [
+              {
+                port = 9999;
+                addr = "0.0.0.0";
+              }
+            ];
+            locations = {
+              "/health".return = "200 ''";
+              "/".proxyPass = "http://127.0.0.1:9998";
+            };
+          };
         }
-        {
-          subdomain = "jellyfin";
-          port = 8096;
-        }
-        {
-          subdomain = "sonarr";
-          port = 8989;
-        }
-        {
-          subdomain = "radarr";
-          port = 7878;
-        }
-        {
-          subdomain = "lidarr";
-          port = 8686;
-        }
-        {
-          subdomain = "paperless";
-          port = 28981;
-        }
-        {
-          subdomain = "homepage";
-          port = 8082;
-        }
-        {
-          subdomain = "photoprism";
-          port = 2342;
-        }
-      ];
+        // makeVirtualHosts [
+          {
+            subdomain = "jdownloader";
+            port = 5800;
+          }
+          {
+            subdomain = "jellyfin";
+            port = 8096;
+          }
+          {
+            subdomain = "sonarr";
+            port = 8989;
+          }
+          {
+            subdomain = "radarr";
+            port = 7878;
+          }
+          {
+            subdomain = "lidarr";
+            port = 8686;
+          }
+          {
+            subdomain = "prowlarr";
+            port = 9696;
+          }
+          {
+            subdomain = "paperless";
+            port = 28981;
+          }
+          {
+            subdomain = "homepage";
+            port = 8082;
+          }
+          {
+            subdomain = "photoprism";
+            port = 2342;
+          }
+          {
+            subdomain = "immich";
+            port = 2283;
+          }
+          {
+            subdomain = "qbittorrent";
+            port = 8080;
+          }
+          {
+            subdomain = "shimmie";
+            port = 8000;
+          }
+        ];
     };
 
     paperless = {
@@ -326,6 +397,8 @@ in {
       dataDir = "/var/lib/sonarr";
     };
 
+    prowlarr.enable = true;
+
     jellyfin.enable = true;
 
     photoprism = {
@@ -341,6 +414,13 @@ in {
       };
     };
 
+    immich = {
+      enable = true;
+      host = "127.0.0.1";
+      mediaLocation = "/tank/images/immich";
+      settings.server.externalDomain = "https://immich.fuckwit.dev";
+    };
+
     homepage-dashboard = {
       enable = true;
 
@@ -467,15 +547,75 @@ in {
       backend = "podman";
 
       containers = {
+        shimmie = {
+          image = "docker.io/shish2k/shimmie2:latest";
+          volumes = ["/tank/dump/shimmie:/app/data"];
+          ports = ["127.0.0.1:8000:8000"];
+        };
+
         jdownloader = {
           image = "docker.io/jlesage/jdownloader-2:latest";
           autoStart = true;
-          ports = ["0.0.0.0:8000:5800"];
+          networks = ["container:gluetun"];
+          dependsOn = ["gluetun"];
           volumes = [
             "jdownloader_config:/config"
             "/tank/dump:/output"
           ];
         };
+
+        gluetun = {
+          image = "docker.io/qmcgaw/gluetun";
+          autoStart = true;
+          environment = {
+            VPN_SERVICE_PROVIDER = "protonvpn";
+            VPN_TYPE = "wireguard";
+            VPN_PORT_FORWARDING = "on";
+            SERVER_COUNTRIES = "Switzerland";
+            PORT_FORWARD_ONLY = "on";
+            VPN_PORT_FORWARDING_UP_COMMAND = ''
+              /bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORTS}}}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
+            '';
+          };
+          environmentFiles = [
+            config.sops.secrets."protonvpn_wg_private_key".path
+          ];
+          capabilities = {
+            NET_ADMIN = true;
+          };
+          devices = ["/dev/net/tun"];
+          ports = [
+            "127.0.0.1:8080:8080"
+            "127.0.0.1:5800:5800"
+            "127.0.0.1:8123:8123"
+          ];
+        };
+
+        qbittorrent = {
+          image = "lscr.io/linuxserver/qbittorrent:latest";
+          autoStart = true;
+          networks = ["container:gluetun"];
+          environment = {
+            WEBUI_PORT = "8080";
+          };
+          dependsOn = ["gluetun"];
+          volumes = [
+            "/var/lib/qbittorrent:/config"
+            "/tank/dump/torrent:/downloads"
+          ];
+        };
+
+        # qbittorrent-exporter = {
+        #   image = "docker.io/esanchezm/prometheus-qbittorrent-exporter";
+        #   autoStart = true;
+        #   networks = ["container:gluetun"];
+        #   dependsOn = ["qbittorrent"];
+        #   environment = {
+        #     QBITTORRENT_PORT = "8080";
+        #     QBITTORRENT_HOST = "127.0.0.1";
+        #     EXPORTER_PORT = "8123";
+        #   };
+        # };
       };
     };
   };
@@ -493,6 +633,7 @@ in {
 
       script = ''
         while read -r evt file; do
+          printf "handling $evt for $file"
           ${pkgs.coreutils}/bin/chown ${user}:${group} "$file"
           ${pkgs.coreutils}/bin/chmod 775 "$file"
         done < <(${pkgs.inotify-tools}/bin/inotifywait -e create,move -m -r --format '%e %w%f' ${path})
@@ -503,6 +644,10 @@ in {
       StateDirectory = "dnscrypt-proxy";
     };
 
+    podman-qbittorrent.serviceConfig = {
+      StateDirectory = "qbittorrent";
+    };
+
     ensure-radarr-perms = ensure-perms "/tank/video/movie" "radarr" "nas";
     ensure-sonarr-perms = ensure-perms "/tank/video/series" "sonarr" "nas";
     ensure-lidarr-perms = ensure-perms "/tank/audio" "lidarr" "nas";

nixos/celestia/secrets.yaml

@@ -5,6 +5,8 @@ photoprism-password-file: ENC[AES256_GCM,data:a0fqrjRDc2M=,iv:H/kLPIJsti8QsOJjwP
 restic_ssh_key: ENC[AES256_GCM,data:NK7WXhnnueZ6kVZJnjShZ/QaNXINrJ6+youN3EPBmNjiLBTJHFg4LVR3MCU1GaK2HJpbz3qEJa/kto9LPONRR0F6LO6/7U17O0fdzF7Ca7u4xHI7uKBE6x9/dhd5MHJ2yQpEUwJnTB6i/++OcbSfTJmp062jTgWxdarngt6skx0m5JIlu6lhLKyFzGa+cBIesFItredQ2SJroUC4rK3CiQLutuaBlhw90wys3T2uTtRRgzQ08AF90+JY5jqflZposQPT0ox+xEegOyZ4UJxX2WToxD998N7/eETxo2E94zL/5f2mGoubDxwPTZp8cPX+1g85tFjhn361OSgHBwgRRT3rs/js1xZkQQO2McKPyGZVHOzQ0GSrpvxiSiUZk8/49eynEkWUsY2YXQxvl3/s6r/Toh9Wbr9mo3X67A2phTx1beEnU8XMwWS/5ZnqtFNHvxC6tfkAIwblNvCc9mTigSYhOji9TBpcZNOCumY/MYzGSCzxSFXcOnsKZKjxdE3ByHFKcMvJ+uiaav000MbdplOOsYLCSpdQAAZH,iv:JFcu2GO8k7awfB8RV17tcFj5KhXmUxnzjnoEdmMaqxc=,tag:awy4njmuS/l5CCFqWdsy3A==,type:str]
 restic_documents_repository_password: ENC[AES256_GCM,data:rcQ5PsvJW2i3e2v1FqbqCOoqiblqFDsqRifzY6YxIKZTNSNrRPgqUduqei/0aSGJTNG+zYS4YRCooCZ/E7mYFg==,iv:IO6OGY+Dfai0Hl/NWT7bqqhTkfhXlUqqnJyQjm87fSw=,tag:K3D112tm+kC5OpEF2t+oZQ==,type:str]
 restic_images_repository_password: ENC[AES256_GCM,data:yNWUqZ9ddkfD15mO7NocUYwqNWPaTHXfLkMNq7yy5xgSG4I3G01mFTt5qCPbZ0n+Y6DFlhDQBLAC5SwOvVNggA==,iv:LqA7TG9TS7eyHZ/xqF+L1w5imPdogQGH0DyokaQj4Bc=,tag:1OLRp7VO8Lfy1nQcUr3OWA==,type:str]
+protonvpn_wg_private_key: ENC[AES256_GCM,data:cm4ytBg2lMDDppx50JxmEX8lC+x5bessRmIk60iSuYYCtb7DTlkcwROivz7oG/x1DXjvxjLPW9Y5wEE3GxXD8xo1,iv:B6TeBVC0d6S3XNhv7nSiuVI7nr3M1LeqYMuv0AxvG2c=,tag:RvhSLKRv1FDNntHFvtrelw==,type:str]
+telegraf_api_token: ENC[AES256_GCM,data:pCNHkdKlBhYW+IJuvdLgAsk2oXVIowvCVwy2uvJIJQ8DdtRgYgR4JIMcz4l8u+yTPyRPGSqdXnkojNeB9O7T8FM25lklrcRfeKL3ofSY8RJ1FiovcEGYjESi/A7sgrETFMD2QIO0kmZ+3qM=,iv:PKm2hp6+aInR2+AglHImjxIPBFU0FRjpMklranVgjiM=,tag:T/88jJJjkgYxisKZtZAyQg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -20,8 +22,8 @@ sops:
             K0RaVVNSczZBcDNtaXhGem5iQnlVTDAK+XogkPQD2xYQ7sW8DwAXaaLA/ftw6vZM
             wsNs0uun9dgGjZIXcU6AIsrJeUiWBl5zgc6CCd/ad/3QxpmKj1p9Mg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-18T18:21:19Z"
-    mac: ENC[AES256_GCM,data:3QqYfYJpIb1kcd6Kh92BbfQIBrsniet3HYVR56V5g/eHRwJpy526A8Gpntc0vdu7Adpv/bbaaPzmCTeanhEXwXB38iXnEsWSsUBn/KyT0bhIi7HcXNfRM6al7cWA6YBwSyy12ElD0Bf/fX2ptUId39tOj3yr7Rg4VaXMr9gEsMk=,iv:s5LlkeHcjoqWeQDBQmoOTZWI7L18bJi/yz3yv8uGoSM=,tag:FH/CbzCyqBp1ebeKIPox8g==,type:str]
+    lastmodified: "2025-03-29T14:12:23Z"
+    mac: ENC[AES256_GCM,data:5og1eH8IKVj0UHPgv1qVyC+VgjL1uf7uuJR3w0Y8qqAwNjhyifCTLVRxIg+3EPKQH+w5H0uIovmnlPdRCdwDbkysBkFL6xAlDszouEDX5F+S5ZOZkpONSieeCNG+obVO1PLstLffb+Rh2OR4hhi0xH6D8ryH0yqe7o0tZROBaqo=,iv:Tw6EC4pZcrF4k2H89ZVKlDPT40x02cOrNVH6e57bIGU=,tag:luYMemQCAjHu9D9JgfvpCw==,type:str]
     pgp:
         - created_at: "2024-01-25T08:00:56Z"
           enc: |-
@@ -36,4 +38,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.4

nixos/configurations.nix

@@ -1,11 +1,10 @@
 {
   self,
   nixpkgs,
-  nixpkgs-stable,
   sops-nix,
-  home-manager,
   lanzaboote,
   simple-nixos-mailserver,
+  nixvim,
   inputs,
   ...
 }: let
@@ -52,7 +51,7 @@
   }:
     np.lib.nixosSystem {
       inherit system;
-      specialArgs = {mypkgs = customPkgs."${system}";};
+      specialArgs = {mypkgs = customPkgs."${system}" // { nixvim = nixvim.packages.${system}.default;};};
       modules =
         defaultModules
         ++ [

nixos/framework/configuration.nix

@@ -16,7 +16,6 @@
     pkiBundle = "/etc/secureboot";
   };
   boot.loader.efi.canTouchEfiVariables = true;
-  boot.kernelPackages = pkgs.linuxPackages_6_11;
 
   nixpkgs.config.allowUnfree = true;
 
@@ -51,8 +50,10 @@
   services = {
     illum.enable = true;
     fwupd.enable = true;
-    fprintd.enable = false; # currently broken
+    fprintd.enable = true; # currently broken
     pcscd.enable = true;
+    udisks2.enable = true;
+
     tlp = {
       enable = true;
       settings = {

nixos/primordial/configuration.nix

@@ -1,20 +1,45 @@
 {
   config,
   pkgs,
+  lib,
   ...
 }: let
+  makeVirtualHost = {
+    subdomain,
+    port,
+  }: {
+    name = "${subdomain}.fuckwit.dev";
+    value = {
+      forceSSL = true;
+      useACMEHost = "fuckwit.dev";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  makeVirtualHosts = sites: builtins.listToAttrs (builtins.map makeVirtualHost sites);
+
   mkWellKnown = data: ''
     default_type application/json;
     add_header Access-Control-Allow-Origin *;
     return 200 '${builtins.toJSON data}';
   '';
+  secretFile = name: config.sops.secrets.${name}.path;
 in {
   sops.defaultSopsFile = ./secrets.yaml;
-  sops.secrets."gitea.env" = {};
-  sops.secrets."keycloak_db_pw" = {};
+  sops.secrets."acme.env" = {};
   sops.secrets."restic_mail_repository_password" = {};
   sops.secrets."restic_ssh_key" = {};
   sops.secrets."act-runner-token" = {};
+  sops.secrets."gitlab-db-password".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-initial-root-pw".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-db-key-base".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-secret-key-base".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-otp-key-base".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-jws-key-pem".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-runner-authentication-file" = {};
 
   imports = [
     ./mail.nix
@@ -23,6 +48,7 @@ in {
 
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
+  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
 
   networking = {
     hostName = "primordial";
@@ -51,8 +77,20 @@ in {
 
   i18n.defaultLocale = "en_US.UTF-8";
 
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "huanzodev@gmail.com";
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "acme@fuckwit.dev";
+      dnsProvider = "cloudflare";
+      environmentFile = secretFile "acme.env";
+      dnsPropagationCheck = true;
+    };
+
+    certs."fuckwit.dev" = {
+      extraDomainNames = ["*.fuckwit.dev"];
+    };
+  };
+  users.users.nginx.extraGroups = ["acme"];
 
   services = {
     openssh = {
@@ -81,6 +119,41 @@ in {
       '';
     };
 
+    gitlab = {
+      enable = true;
+      https = true;
+      host = "gitlab.fuckwit.dev";
+      port = 443;
+      databasePasswordFile = secretFile "gitlab-db-password";
+      initialRootPasswordFile = secretFile "gitlab-initial-root-pw";
+      secrets = {
+        secretFile = secretFile "gitlab-secret-key-base";
+        otpFile = secretFile "gitlab-otp-key-base";
+        dbFile = secretFile "gitlab-db-key-base";
+        jwsFile = secretFile "gitlab-jws-key-pem";
+      };
+      registry = {
+        enable = true;
+        package = pkgs.gitlab-container-registry;
+        defaultForProjects = true;
+        externalAddress = "https://registry-git.fuckwit.dev";
+        externalPort = 443;
+        keyFile = "/run/gitlab/registry.pem";
+        certFile = "/run/gitlab/registry.crt";
+      };
+    };
+
+    gitlab-runner = {
+      enable = true;
+
+      services = {
+        default = {
+          authenticationTokenConfigFile = secretFile "gitlab-runner-authentication-file";
+          dockerImage = "debian:stable";
+        };
+      };
+    };
+
     matrix-synapse = {
       enable = true;
       settings.server_name = "fuckwit.dev";
@@ -114,97 +187,73 @@ in {
       recommendedGzipSettings = true;
       recommendedOptimisation = true;
 
-      virtualHosts."fuckwit.dev" = let
-        serverConfig."m.server" = "matrix.fuckwit.dev:443";
-        clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
-      in {
-        enableACME = true;
-        forceSSL = true;
-        # This section is not needed if the server_name of matrix-synapse is equal to
-        # the domain (i.e. example.org from @foo:example.org) and the federation port
-        # is 8448.
-        # Further reference can be found in the docs about delegation under
-        # https://element-hq.github.io/synapse/latest/delegate.html
-        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
-        # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
-        # Further reference can be found in the upstream docs at
-        # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
-        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
-      };
+      virtualHosts =
+        {
+          "fuckwit.dev" = let
+            serverConfig."m.server" = "matrix.fuckwit.dev:443";
+            clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
+          in {
+            useACMEHost = "fuckwit.dev";
+            forceSSL = true;
+            # This section is not needed if the server_name of matrix-synapse is equal to
+            # the domain (i.e. example.org from @foo:example.org) and the federation port
+            # is 8448.
+            # Further reference can be found in the docs about delegation under
+            # https://element-hq.github.io/synapse/latest/delegate.html
+            locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+            # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
+            # Further reference can be found in the upstream docs at
+            # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
+            locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+          };
 
-      virtualHosts."matrix.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-        # It's also possible to do a redirect here or something else, this vhost is not
-        # needed for Matrix. It's recommended though to *not put* element
-        # here, see also the section about Element.
-        locations."/".extraConfig = ''
-          return 404;
-        '';
-        # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
-        # *must not* be used here.
-        locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
-        # Forward requests for e.g. SSO and password-resets.
-        locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
-      };
+          "matrix.fuckwit.dev" = {
+            useACMEHost = "fuckwit.dev";
+            forceSSL = true;
+            # It's also possible to do a redirect here or something else, this vhost is not
+            # needed for Matrix. It's recommended though to *not put* element
+            # here, see also the section about Element.
+            locations."/".extraConfig = ''
+              return 404;
+            '';
+            # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+            # *must not* be used here.
+            locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
+            # Forward requests for e.g. SSO and password-resets.
+            locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
+          };
 
-      virtualHosts."vault.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
+          "gitlab.fuckwit.dev" = {
+            useACMEHost = "fuckwit.dev";
+            forceSSL = true;
 
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8000";
-        };
-      };
-
-      virtualHosts."git.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8001";
-        };
-      };
-
-      virtualHosts."grafana.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8002";
-          proxyWebsockets = true;
-        };
-      };
-
-      virtualHosts."influx.fuckwit.dev" = {
-        enableACME = true;
-        addSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8003";
-          proxyWebsockets = true;
-        };
-      };
-
-      virtualHosts."sso.fuckwit.dev" = {
-        enableACME = true;
-        addSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8004";
-          proxyWebsockets = true;
-        };
-      };
-
-      # virtualHosts."drone.fuckwit.dev" = {
-      #   enableACME = true;
-      #   addSSL = true;
-
-      #   locations."/" = {
-      #     proxyPass = "http://127.0.0.1:8004";
-      #     proxyWebsockets = true;
-      #   };
-      # };
+            locations."/" = {
+              proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+            };
+          };
+        }
+        // makeVirtualHosts [
+          {
+            subdomain = "vault";
+            port = 8000;
+          }
+          {
+            subdomain = "git";
+            port = 8001;
+          }
+          {
+            subdomain = "grafana";
+            port = 8002;
+          }
+          {
+            subdomain = "influx";
+            port = 8003;
+          }
+          {
+            subdomain = "registry-git";
+            port = 4567;
+          }
+        ];
     };
 
     vaultwarden = {
@@ -241,14 +290,10 @@ in {
         labels = [
           "ubuntu-latest:docker://node:16-bullseye"
         ];
-        # hostPackages = with pkgs; [
-        #   bash
-        #   coreutils
-        #   curl
-        #   wget
-        #   gnused
-        #   gitMinimal
-        # ];
+        settings = {
+          runner.capacity = 5;
+          cache.enabled = false;
+        };
       };
     };
 
@@ -288,37 +333,13 @@ in {
         };
       };
     };
-
-    # keycloak = {
-    #   enable = true;
-    #
-    #   database = {
-    #     type = "postgresql";
-    #     createLocally = true;
-    #     passwordFile = config.sops.secrets."keycloak_db_pw".path;
-    #   };
-    #
-    #   settings = {
-    #     hostname = "sso.fuckwit.dev";
-    #     http-host = "127.0.0.1";
-    #     http-port = 8004;
-    #     proxy = "edge";
-    #   };
-    # };
-
-    # drone-server = {
-    #   enable = true;
-    #   config = {
-    #     giteaServer = "https://git.fuckwit.dev";
-    #     serverHost = "drone.fuckwit.dev";
-    #     serverPort = ":8004";
-    #     serverProto = "https";
-    #   };
-    #   environmentFile = config.sops.secrets."gitea.env".path;
-    # };
   };
 
-  virtualisation.podman.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    dockerSocket.enable = true;
+  };
+  virtualisation.docker.enable = lib.mkForce false;
 
   users.users."root".openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"

nixos/primordial/mail.nix

@@ -16,6 +16,7 @@
       };
     };
 
-    certificateScheme = "acme-nginx";
+    certificateScheme = "acme";
+    acmeCertificateName = "fuckwit.dev";
   };
 }

nixos/primordial/secrets.yaml

@@ -1,13 +1,15 @@
-gitea.env: ENC[AES256_GCM,data:wkSPzLQtL3vGNIjG+jG6I3+R7wLBBdXeaCHbKxMbpVOldo8zrPLu8HdoryneRro58d7D9Cao9x+n5SvYNfGwHPgDJG8saXTeyEffIWIKNC+5+8fjiWwIkAvstckmZjSLitVxcwhifs49jmZgW/xQBPEPiAHzVkjeueV7p/Jm9WgyD2ycPrKUvNEYJ6DWZqQq9r10Y/KsRZsvRzF2cp6YeX7YGjW7E2wuQz9yy8gOFHxmoJxAc4zM7XaKZWKtow1UPCjTtxiY7qRkWK7KQt21Xf3FCsU=,iv:qQv7hbqh3Kl6sE/XW37D9AbYt4gLJw5BnfbbLIkzOd4=,tag:g6Cecvdb67W01HvIULNzsQ==,type:str]
-keycloak_db_pw: ENC[AES256_GCM,data:1oBqzpFokAmjkT770YKYwzCllaGTprtDR9W4B/+V6ZUXPhJ1R9DNWZHqpQ==,iv:dK36GBiDj12HVjUkZqTVk/rR6s1sf6dmQTk1ZJQwi+I=,tag:6Ix9QSf+A0U82sG0z8wSmw==,type:str]
+acme.env: ENC[AES256_GCM,data:+EwmrLsjjOvvXOBgbI5T2e98pJ+PImvbaCd5/9cvqmPWurzGe1H2fjBOguDf5Mb64eZXaL7jbZxeTqT1T/w32+Y=,iv:tBuFM3V6jW7M3eXb2cwK8ZoKqfEfMxHC31GvF0GTOJs=,tag:Z/vDDFAp2cY7UarPWT/ykg==,type:str]
 restic_mail_repository_password: ENC[AES256_GCM,data:B2XAP9tnztl/c7HB7bHywfJcwV9sLahfqCfI0TajWaWHPhRsZow4yxhn813FN4pINb5i1kYyiRG/sMXMKAFo9g==,iv:pQnVRVtuhcVtH/Kot9hcx8DSA4qlkksuUiY8HaOawfk=,tag:4lbmh8bQDSVNbI06/gNUlQ==,type:str]
 restic_ssh_key: ENC[AES256_GCM,data:HpS73OEFvqSLYg8Qh1syJEjCfv5og5VxxzK2VPmAFRk5BzM4xF3Dn0cmJtQpwMMwaRGRWFdCTMrQCBWRrLgDt7wUyMpBn1HivLr4nwEOU4oDStv+1zKmrNbWLSYw3TbHoNJ2K+C46lfpV9CBdb+8dmv2vto6HoKFrOYc5/ftYd7lD9zMhueAMCc3q7aPsIFGb2TRGNz1wrF6Cn9ew1Oqh/P7xlUuIgS0kAKRrybhiIO9IUgQsTV3qqZIXogP4Yy2OLSyhbtDuvtLAncL2pJ/ZsGme47G8HoFomyqEIf0eq7YKqlpTqKPbbnxfWSlWYGg+l9OtCJOeyp5oEZ6sjPNdTUYjpcVZpHNEEa2zkaZzRj5Jo/GIiJfCu4F0kk4opbqEUTeDQHgesylxwpd/v5zaplGEqpYZ7y/DAud+YUw7XWYWjy60kjlZdkbKwrL/Cg4dxWY8Cc7v42Ve7aADgSEpEhwo5rHxM3JSVHHHunfC6y+/Qin26wQZhF1w+d8/yqSaJidx6FsDSipGCJtXa9liIG7oG2vUlmYm4rE,iv:d/AFzPAJGSGv1WzQY4+p8mImFoWKkaoMRtIBNAYiU0E=,tag:mdE/e2VX5zdrFT43NZaYNQ==,type:str]
 act-runner-token: ENC[AES256_GCM,data:QEiYYYg8fZQIwVPT+vG2Eo8JO9y5PgVJBm5E1UlujANigQKvVkhPbVtulIB1Fg==,iv:V88x7xqYlbZuawPFU824bZtvM/b44BBVIjhnmtdYCwo=,tag:PgQcH1nkRpHCiBBMCSXfxg==,type:str]
+gitlab-db-password: ENC[AES256_GCM,data:2TEOCeTjbD+SddZej0Bt2nXiJO032IT4Z43I49ChW18=,iv:65G3bjLO+ebhJfG8DEWG7EImsLheR7YUxikU6x+xj0M=,tag:GoQBrYPAlzdz7oscL2ie6A==,type:str]
+gitlab-initial-root-pw: ENC[AES256_GCM,data:Q+0cg6lNctY=,iv:Z+9AlxlQ5YsEWg+ff1rPWfiBDJM/wAqvNKPHQ+s8CiA=,tag:1PVqV8qXLyiKDwr02sg9tA==,type:str]
+gitlab-db-key-base: ENC[AES256_GCM,data:zzuYk07Tk4ti4k0y/lSDqrhDxdr5YqqKP5DUl0nCO1s=,iv:nKC3OkOxo+CrGTBvDPQkjps5OYrO/QPtGTY6uQsAUi4=,tag:tgRK3oUD9ZJy/DtKVkawDg==,type:str]
+gitlab-secret-key-base: ENC[AES256_GCM,data:wXaad/yooHobhuKS+BFxiy29g0iUmFn5rLRmEMWchoQ=,iv:6JFjgkfgfTNr59v+PvIKItYJXtycGffmc7gJtyeHzMg=,tag:Nll20xSIXd2DoWcd1MJojw==,type:str]
+gitlab-otp-key-base: ENC[AES256_GCM,data:3LGpjpqaQdeO7v3waFCZDVVKtgXl3h0N/XiBcqlW2Kc=,iv:Kk1Af6FoTs+kejHmTL3FXoQJ9XAV+2J5+xC+heGbKu4=,tag:EI0agVoGUVEqphCCFfRwLA==,type:str]
+gitlab-jws-key-pem: ENC[AES256_GCM,data:LUyY4Ri2Ky7LRnx5azAM6xCMolZbBskHQIwBax3wwOy8QROP5tsK+ABZYVkPNjmooNrdSBECjBfy//TI4qauYJoresMK0rnQbwJQSAmmMmDHxBT7Qt0oY2sUZ2Ohf2mx2lsmzCCesJX2mXOKyOQR/P4xmrGcE64km5e9q6wU3wkKECg72BCpUAIOkpDHtq6f87rtGSKnXLjXItw7A6IuK75s0nGJUH6zomocuWPbNVE44QAfR1Ib2UZrl1Vk20hQWhAaAZajYrGIshaHKvm0K+DpgMu7qca0HNV1fKtcuMM5s2XXpUZS97pHBXjhdGigHQ+zPm4paajQqtffXUdiO7vui+kNW/p+gCON3dmYEMXv35Q/VpinVhahnNM7y3xKIHTl2O1jdUtwJLWeBTfiul2dt/143wIsasr0qW3lx4eSmg8oKK6CJsA6Ujbo5w5Oifso5MMxKJ7kQzcVNAHM2sWn9b2G8iVZ/o1158CMv1Sz5zhfintIwoTjbcOOrk3Njchcq8RVGRaE4A0hdPLFk+MNFw3CenZNe5aBY/1sOFoL4r6GGl5p+1Bvjm84OHDbXvSaA/tBVDvjw3LXLi5OTHlahcdMrxVhMxy4OY7A5EKfrN0KkoSYg3U8nw7fcgI9bUgp53H0mQafGHY+2I9b7k6o3v6kbYy8TyPrk06tBOISj3MwO9S4GT195i5sI9NMQwE2pOl1gzWXa4wBoLHu8zWWr1UHuQLbfH9ipbVehB2uwp7LU6xm5PIW43S9zcAOMM/p3cFLjSc/qBeSktvetzw9ucFeCOm9eTuq8fgImd+DzzwGkHy7mFJJQE/dvV4yAbNiGHDqlBMYuwxd3vdKCVcGCH3cBveusXILj53QL3FKAHFaoASKpgFCWD1BrBeLwhb3kdZqtTacS9EEqUxG1jzURcpA3vJVG62vKbcZ0GWuZvDlYh+EwEGcAEQWeP3impO1kn77TU3st+ZcUP7HINB+n4WRxCNvI67T6rfAtr/s7+8oGZLiD+1wtSip7to7rbHAj8ZiMDN1r5EGnelGfPpohRTrapIfwHu3mIHYceEdywqe2odY+MrUrMUuFgVaXgIN4xGMyiHhW3IKPVHT5ujJU/Qqark/9wiXAMBiDVHxHdJK/xeYq18hIYqXImdqMaK1nzZYa2rUnRWuFZnZELuiuvaYs6VumF8NJKhBamzjiQt4JdohQIzln8nqkA5Qf3pWGitmMDXp7FlbRQgPh84V/sBE+2aur1oLAPAa07oarOsjXity3eUhCjdwtgLIcCGph+8/srFy7BcYR6bu+qIEesaxBKw1HEGWkPctMk8bW8iYqgP3BmGru6SQqDPofISBxRJWhjrrrd3plmk9vBv8xcVehZ6nrCbvsgIku3kIqaBbbHTXCCoJeKm6aHkOkt+YCPEsroAONz3gYG4FwRKTeIh2ICqmqK0JjYj6jHVXUubOVwFTlEfrj4lr8hBNpIzAdIprzh5jCsSVjkBSrQqKcpNAB2oQReAZqxnnqCVfjc7LotagSvsPeuan5h3sx/RikqrK47EvpDk6QguoCOBO43yyBx9uGW8pmyvytR+6LzGQA2WS2o8mQyDxGsnfVO5iCY8e9XRWvoF4srjzFe1Zu/2ah7VaDpe8302PUV8oh6l1gFi9NAq7tkD3qAdvE8X7TEnN0bcXsDte80zjpY+pVdsvWpTU8ojl0YeHkuqeCijJ+iikJCbwwhYDE3DsiDvPH39O+twaTLjQ/9tAQiOOrVWrU3dXilqcBY41qsbCbtKquRv6wu6Wh4mSJnRDYqQUYDMLFMr5i0xqVK6nwx1sDecJ7iRCOI0gHsu2AquzK1KQ4dv3zkiXmRbeWgntKu8PnLhz4S4sj055DH/Lo5OxfKhkcZV2g3awThLzKGd8NTtR9oiqKuIOrLsqd0UzfWMIWP4BCeKcTi9FV359uhUO646/Fon65vbqu3Ej32ueA/4D10a2cFnk9aO3EFlihMS6XSENPbkXafrQsNleZJvd267RpprVDxQFGmASEU1sMcoPVY481OeDcQPb+xq4spUc0TpsU249yYXjrzclzx9pluwpQy6/pxH+eACybqHg3OixPxfKhoYwJ+nCdoQWRHA53thU4VcCnVbInESE9hs0OfxCuA4XkTFIxn93T8VrPiIAQZlTdd4mEW/8zlWPbwZMJAIuFgPpd3hRhch9mC19wpM/AxBoVKEy63kPRv7AHhBITXXLJJa6cLybxF/ioj3w81vFHzsMiBbSM/I9B2SINidvtI/NuWEx2/EdRL29ahKbmXkGLZ0eUUp0Vci1FFZkV+4gR6W5HQDHc34Upxgd0q8FEgmw3MT+QMaDSVZ4DNT207sHFQgcpfuXzjioA2DDG62qa7HXinm0brCIIq0qpmtavIMFS+ycqqUGO4fSA/LAQT6AvzV51gC84cU1pMgW5bjFq9MlNC+kGp4VGS34Dv1QxuUFepgQGMQgqpStNIB25QSVo8R59+8PmhZTT8jl0j5Vx7fhDJNnIsvN+0EcbITlB4CXjW5T5O+ju8uFELeavxm0imYYIdVnrT4MRZrIn8+yIxqZhLv5SF3ZtKZOb2Ij/R4CePWjrVoRU1Uzo04MZOYz3q9Fv+P2fnZVJB725tTehLUWy423ARQtFarB6REoaTY58z5ggoHrNW/Pb8JpS8kNsSS+PtSGP1NLcLtAlBXjt1TfyrLMBfatu13ww70yS/4CGok1GmLIhE5NVdM1xcUvhvNqnY6UpALcwrRr4jUTR9pH81Cb7i2YwduGbfvdn0I+BwauAhArlI3n8Z88lbqMJ3/OPHbDq9DvD9hGH1qZrj7WaX8Fd22u3F3cxAOusOv7to3pjhG4IZQYaV5WMc1WtOspowG7O5R2ZHxLJR2o05VJde9dGI79WJcLhIcm7rETGFm2iHc/X4PqsZKFHXqNWJDlYW+K2uwZXHO0m2XpF1pkHu8iCdEIofxfFT3LGPq6iUxCCXifj3pC+FPA/1F+fxAJp8TkE3ATrZu2hdAhZgmG1Q/2AQo4aZiaTc6oQhnXwheuIpF0XAzgtnMPRlHkEoxr+NdjSpPbSuEWDN3lAC4ZSa5hF03No+9nQmuPVl+k9hdch+rd+iIih/MB3MTqMm6E11wk/Nj09BJnhiudTo0htSo2rFOLhWz9GsHauxwONWTzpFsJzp3US8DtZXQQ+UDAASmAyJharVrfhY/vyD7JXeakAqWMcP5oFzAZwzmQS2lrg/DMT9fXvPNCUGPvwcGeYqm0403OItOQInysdh1pugwlERNBSbaP4EfA0KIH9SyjuOBz23rEKI1CZPrzRCUTRSDLJFvIuYzlsZ/+s0bhvvyuKonKU+28DQBUYdV1T9cTFRei0Y1LDPuicutzT4wCNKCg/8iqqH6jWHVHhy9U/So6AZBqvMZSvAwdn5vCUuc0KcB7VgA5OKE6Dmt5NF8daoRpzSNECWNEhiTHd6T+9Ktbriae66mfrO0QbFn92NJT4xunreRsmXnUQKb1Rsboswzy6bDHucgFHBY2GiP95ckw17MxTDLwi4nym/tR2XG7ml2iseTwByraFhX8DTPNMu5d8pgi0SfI4bwxwXdLW4kpFXaH3nbkgal5MkfkdWKH8ve+fXozQm9hkiFH3rYNYlXzgPm0pPZVZCh9+xIbnbKjVT9/22iNwu1XIzIDh2soo9/FX9yN+VwCZHwtOJ0qUSk6SP3ts1a6Q1v2K6etfDGzfbQXlT7TC2/imW+ifF60+k2KepaYeqRSG7tDtc+QATg7d7arNBYKB1pDaVId6jeO6oa72KZ1UH08ypGjH6lwFnqWRC2p+hXDTpq0yLg4c+0cHmIxtcSDDdlIFFkXkjp84OZ0ciZ4c8zFVMulFDzHndeOx72Dv+uf8MSq6w4Aqq9bO4v+7U62oI0sFo6IHzVUVVWVxo8KY44w60JP0iKDdy3LoKm2MA+bfIiaZYHEqkv3LDf17ng290aerGKemDPdO0fNTb8jHKklwbxs7q6YabZOuOwccB5losdXjhWzprCq2vYDSLiQHlPuCF5RNd86PvUhTbMhhDotU92TdwO5QxMqQjw3pdoEBTgq5gY7YMBpu/iMxMjmMaghI++R46CZ/a1od75kTtRF886Fl8IZHxOpVnTyJIfAM0cCQQaMiGG6SewMWpgJ7P8+0wsow9WIsfEZfzGST7AVA+Rqnsoz6i5XhUu0GtolftefpKwWoWzXGnClPx1B/jo7Ev6QpVw7a/5tMF8be5y7J2Yiz+Et49nAGrih9RCGIqgpofT2Ez6xm+XNBqB7ZKHTYorlHW1oHbBLn53+yv6TR7wf4kfMRGaRzzCigl2gyukaKVsHymkV2AwNHnraA6+AXIU=,iv:/+l13lQ/8tvLt+SHO03H8dBsUyoIDVhfas1v2n1RYPc=,tag:3Q91nWeZT8PQo/EWq8/6DQ==,type:str]
+gitlab-runner-authentication-file: ENC[AES256_GCM,data:M0dn62YNywEs08eHM0EcLJJfldsqlxrdeyJJSzp7yS3EO1umQPoPrlNnrZpwjLH2EDyMP81M/S5kPoR70ckB0LYt4w2d7Iao+6/WCvIGrhhN5WPejvg=,iv:qopX16X0dfrzjQ1vMuxWIouV96dig70iDU6dX4Y4Lc0=,tag:ZVac+M3OyMtLbJWM/1CPMA==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age12u7ayy2q5dps2pcpc6z7962pz07jxv3tt03hna6jyumlu4fdjvtqdg2n3e
           enc: |
@@ -18,8 +20,8 @@ sops:
             V1h2NGxyNVc3WnF2ZFBpQm1oK1AzeGcK4GoD2E8nwOl/WKtgMgs0Y1Q8abRX4mpy
             GdHGDQUWvySCisJo4JXsooYkLjOyKvir+vcVbX4nDd4L1W2OMULkrg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-10T21:24:52Z"
-    mac: ENC[AES256_GCM,data:8zOgUn3QPUk6pZxaAVYN+yxIBRAihG9UpHEWSR37gQUT2hYG6ddHDBF56u0G0Hmpa2jUHUNw7hKe2YH7UVxc84Gmsv2oAQL6TPhgtwDBazViF0N9imt3+SEphx0t9Is58pzgFNp7uqy45GaoFtuQ1DIQOG090mHTLHZpnf1YL8o=,iv:EDNwgcGDqAZK4ZSQHxTjyLGhwKkK/TriyeL1FJ6J/Cs=,tag:5WZk+MnZb0kLrVrs601SiA==,type:str]
+    lastmodified: "2025-04-05T16:20:30Z"
+    mac: ENC[AES256_GCM,data:eofNTFKPcT8oyhhjyEXtoLsNpaXZh+cinYARB6+cgNQiDSmrT4nO8V4VS6EWcL6RAqGLtd0UkEhHJN05JMrwyS3teCeC+/2opqJa0XN8OeYZSSUfDEW5ilN7Ms7UW1+2N/7FkJgvEkpAA08HCUoDdruRb0HPYG74RmTy2Q2Wz/Q=,iv:Nffwz6l1qBHvsMri3JhNY1xJqgcB/LGjZ6tDQeG8n50=,tag:/LDX2/MWvpaLwfJuqZ0zQQ==,type:str]
     pgp:
         - created_at: "2024-01-25T11:10:44Z"
           enc: |-
@@ -34,4 +36,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.1

outputs.nix

@@ -2,8 +2,6 @@
   self,
   flake-utils,
   nixpkgs,
-  nurpkgs,
-  deploy,
   home-manager,
   ...
 } @ inputs:
@@ -13,7 +11,6 @@ in {
   packages = import ./pkgs {inherit pkgs;};
 
   devShell = pkgs.callPackage ./shell.nix {
-    # inherit (deploy.packages.${system}) deploy-rs;
     inherit (home-manager.packages.${system}) home-manager;
   };
 
@@ -45,18 +42,4 @@ in {
       imports = value._module.args.modules;
     })
     self.nixosConfigurations;
-
-  # deploy.nodes =
-  #   builtins.mapAttrs (name: value: {
-  #     hostname = value.config.remote.ip;
-  #     profiles.system = {
-  #       sshUser = value.config.remote.sshUser;
-  #       sshOpts = ["-p" (builtins.toString value.config.remote.sshPort)];
-  #       remoteBuild = value.config.remote.remoteBuild;
-  #       path = deploy.lib.x86_64-linux.activate.nixos value;
-  #     };
-  #   })
-  #   self.nixosConfigurations;
-
-  # checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy.lib;
 }

renovate.json

@@ -5,7 +5,7 @@
   "lockFileMaintenance": {
     "enabled": true,
     "schedule": [
-      "at any time"
+      "0 10 * * 0"
     ]
   },
   "automerge": true

shell.nix

@@ -2,8 +2,6 @@
   mkShell,
   sops,
   colmena,
-  # deploy-rs,
-  nixpkgs-fmt,
   nil,
   alejandra,
   home-manager,
@@ -12,8 +10,6 @@ mkShell {
   nativeBuildInputs = [
     sops
     colmena
-    # deploy-rs
-    nixpkgs-fmt
     nil
     alejandra
     home-manager